gh0strat | c65a6378fc0598b7dbce7c5c7da02e168c7a7a68ca85085eb86b2bca076fa834 | Triage

Submit
Reports

Overview

overview

Static

static

c65a6378fc...34.exe

windows7-x64

c65a6378fc...34.exe

windows10-2004-x64

Sharing

General

Target

c65a6378fc0598b7dbce7c5c7da02e168c7a7a68ca85085eb86b2bca076fa834
Size

1.6MB
Sample

221126-y82zysfd6w
MD5

946fe5fe68faf24c5797c25e5bcb49e0
SHA1

c0dff732a3f1f132a72187d5fc2192737e813928
SHA256

c65a6378fc0598b7dbce7c5c7da02e168c7a7a68ca85085eb86b2bca076fa834
SHA512

99ab38b6379f2105b5b1f20e96613b20ded004f822a4c893cd4e2e17968ae5650a57898db01be4055226afaa03e54901c576f54eca85662e3b37c71b924dbb4c
SSDEEP

24576:IpDXgeS+hlgOFc+k5T+IBLXCgxIo1RtFLUUbYkMJ3IvNcaLLh++woOs6s2E+:mjgkhlgOK/lIonLhbpMRIvyaZO8+

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan

Static task

static1

Behavioral task

behavioral1

Sample

c65a6378fc0598b7dbce7c5c7da02e168c7a7a68ca85085eb86b2bca076fa834.exe

Resource

win7-20221111-en

gh0strat purplefox rat rootkit trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

c65a6378fc0598b7dbce7c5c7da02e168c7a7a68ca85085eb86b2bca076fa834.exe

Resource

win10v2004-20220812-en

gh0strat purplefox persistence rat rootkit trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  c65a6378fc0598b7dbce7c5c7da02e168c7a7a68ca85085eb86b2bca076fa834
- Size
  
  1.6MB
- MD5
  
  946fe5fe68faf24c5797c25e5bcb49e0
- SHA1
  
  c0dff732a3f1f132a72187d5fc2192737e813928
- SHA256
  
  c65a6378fc0598b7dbce7c5c7da02e168c7a7a68ca85085eb86b2bca076fa834
- SHA512
  
  99ab38b6379f2105b5b1f20e96613b20ded004f822a4c893cd4e2e17968ae5650a57898db01be4055226afaa03e54901c576f54eca85662e3b37c71b924dbb4c
- SSDEEP
  
  24576:IpDXgeS+hlgOFc+k5T+IBLXCgxIo1RtFLUUbYkMJ3IvNcaLLh++woOs6s2E+:mjgkhlgOK/lIonLhbpMRIvyaZO8+
Score

10^/10

gh0strat purplefox rat rootkit trojan persistence
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
  persistence
- Deletes itself
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gh0stratpurplefoxratrootkittrojan

behavioral2

gh0stratpurplefoxpersistenceratrootkittrojan

© 2018-2024

Terms | Privacy